I’m pretty sure this used to work.
Expected Behavior
Group owners can add members to the group using the “add members” modal.
Observed Behavior
Group owners see the “add members” modal, but when trying to submit it, they get a 403 error (forbidden).
Observed on two separate sites.
Here’s a screenshot for ya:
It is still working on 2.7.0.beta9 ( 4a2912233c )
Just pulled the latest code from github and re-tested. Confirmed that it’s broken. Steps to reproduce:
Allow users to leave the group freely=True, Allow users to send membership requests to group owners=True, Who can see this group?=Everyone, Who can see this group's members?=Everyone, Who can @mention this group?=Only moderators and admins, Who can message this group?=Only moderators and admins.I assume the user is TL2 or > ?
I was able to get to the bottom of this.
Here’s the line that was causing trouble: discourse/groups_controller.rb at e2e13a70f63605b92b4e521cc9f818061c1ccfb6 · discourse/discourse · GitHub
@Benjamin_D got it right. It’s a TL issue.
There’s a site setting min_trust_level_to_allow_invite, this was set to TL2 while the group owner had TL1.
Should a group owner be allowed to invite users to the group without meeting the trust level req? Seems confusing.
you’re right, I guess he should ? Or maybe he shouldn’t be owner if he doesn’t meet the TL criteria ?
That would make sense too.
Or even just adding a more specific error to this.
E.g. instead of raising the InvalidAccess error with the (en) message: You are not permitted to view the requested resource.
Create a InsufficientTrustLevel error (perhaps as a subclass of InvalidAccess) with a (en) message: You do not have the required trust level to view the requeted resource. At least then admins can know it’s a TL issue and not a bug.
Some notes on where this stuff is defined in the codebase
I can make a PR for that if it it seems like the way to go.
While I agree we need a better error message here, I actually think we regressed here.
A group owner’s role is to manage the membership of their group. If they can’t invite/add users to their group, then the feature is half broken…
@dan can you add that to your list?
Great sleuthing, everyone!
I may be wrong, but I think this situation has arisen as part of the work we’re doing on improving the invite system. We are normalizing invites so they all use the same invitation system, and separating out the functions dealing with existing users. Most recently, we changed it so we notify existing users about topics now via the share button in the topic menu, separately from inviting new users to join the site and contribute to the topic.
We’ll want to do the same for groups - it’s already on our list to work on this, but now I guess it’s become more urgent if it means it’s not possible to add anyone to a group if you don’t have sufficient TL to invite new users to the site.
That limit makes sense when inviting emails to groups. However, it does not make sense when inviting existing users. I fixed this issue in:
This will fix the problem for now, but we are expecting to revamp this area.
This topic was automatically closed after 2 days. New replies are no longer allowed.